[Moved to #4057] Apply SOURCE_DATE_EPOCH to the files and the whiteouts inside OCI tar layers

[AkihiroSuda]

EDIT: Moved to #4057

---

Propagate the build-arg:SOURCE_DATE_EPOCH opt value to the differ, to limit the upper bound of the file timestamps and set the whiteout timestamps.

With this commit, the following workarounds mentioned in docs/build-repro.md are no longer needed for reproducible builds:

# Limit the timestamp upper bound to SOURCE_DATE_EPOCH.
# Workaround for https://github.com/moby/buildkit/issues/3180
ARG SOURCE_DATE_EPOCH
RUN find $( ls / | grep -E -v "^(dev|mnt|proc|sys)$" ) -newermt "@${SOURCE_DATE_EPOCH}" -writable -xdev | xargs touch --date="@${SOURCE_DATE_EPOCH}" --no-dereference

# Squash the entire stage for resetting the whiteout timestamps.
# Workaround for https://github.com/moby/buildkit/issues/3168
FROM scratch
COPY --from=0 / /

Limitations:

• containerd 1.7 is needed for the containerd worker mode. (containerd/containerd@9c9f564)

Backup

ac6f97b (withdrew due to dependency on ctx)

[tonistiigi]

I don't understand how this is safe. If the blob already exists, then just the blob is used without any timestamp check. If the first build uses one epoch and the second uses another or no epoch at all then the second build gets epoch from the first build.

[AkihiroSuda]

Now validated in cache/blobs.go:blobExistsWithSourceDateEpoch()

[ReillyBrogan]

Is this and #3263 still blocked?

[AkihiroSuda]

Is this and #3263 still blocked?

Yes, will try to update next week, sorry

[AkihiroSuda]

Rebased

[AkihiroSuda]

Rebased again

[crazy-max]

It looks good for containerd worker but I'm not sure what we should do for dockerd with containerd snapshotter enabled.

[crazy-max]

Maybe having a factory in the integration sandbox to return the containerd version depending on the worker if that makes sense?

[AkihiroSuda]

I guess it can be revisited in a separate PR?
The current code is passing the current CI.

[AkihiroSuda]

Rebased

[tonistiigi]

Iiuc correctly, this also converts the blobs of base images. I don't think that is correct, at least as the default behavior. I think it may be possible to use the DiffIDs in the image config that the frontend passes to the exporter to figure out which layers are from the base image and which are not.

Not for this PR, but we are also assuming that archive/tar and compress/gzip are deterministic. We at least need to add test coverage that would reveal possible changes in Go updates and give us option to vendor old library if needed.

[tonistiigi]

Does this mean that if there is no blob for epoch but there is one for another one, we will run the differ again? Is it a good idea? I think it would be better to do something similar to compressions there we convert a blob to another one.

[tonistiigi]

Not sure I understand how this works. Doesn't it just fix a ref to a specific epoch forever? Instead, it should track multiple variants of blobs that are all associated with a ref (similar to compressions).

[AkihiroSuda]

it should track multiple variants of blobs that are all associated with a ref (similar to compressions).

Does that require putting the epoch value into an OCI descriptor?

[tonistiigi]

You mean for the remote build-cache or for something else? In build-cache we already have "created time" but not exactly the same(although both would be epoch value). We might need a separate field for that.

If you think for the case of avoiding regenerating blobs for base image layers if they were already generated with the same epoch, then yes, I think saving epoch would be needed. Otoh, I don't think any user would want us to regenerate the layers for the base image, just to change the timestamps in it.

[AkihiroSuda]

sr.queueSourceDateEpoch() is only called for new diffs, so it seems safe for now

[ktock]

Iiuc correctly, this also converts the blobs of base images. I don't think that is correct, at least as the default behavior.

Maybe we can introcue an envvar to experimentally allow this behavour?

Possible another way is managing epoch variants as compression variants by making compression.Type aware of the source date epoch.

[AkihiroSuda]

@tonistiigi Could you take a look?

[AkihiroSuda]

Rebased

[AkihiroSuda]

Is there anything I can do to get this merged? 🙏

[thaJeztah]

I have yet to fully comprehend the changes in this PR, but just a quick comment; IIUC, this PR changes SOURCE_DATE_EPOCH during build to become something that was previously ignored by BuildKit itself to become "active".

• 👍 pro: SOURCE_DATE_EPOCH (like, e.g. HTTP_PROXY): it's an env-var that's already known, so provides a "polished" experience
• 👎 con: change in behavior (previously, this would not directly affect building, but now it does)
• ☝️ before this, RUN instructions in a build COULD take this env-var into account (and do "what they do with it")
• ☝️ but now, BuildKit itself also takes this into account (so: a change in behavior)
• ☝️ which means that there's potentially a difference between builds (depending on what version of BuildKit / front-end is used), and there's no option to opt-in/opt-out of this behavior.

Maybe that's ok (in which case: ignore me), but perhaps not; in that case, should there be a BuildKit-specific build-arg instead? (e.g. BUILDKIT_SOURCE_DATE_EPOCH, or BUILD_SOURCE_DATE_EPOCH (or some other var; haven't thought of the name))

[AkihiroSuda]

IIUC, this PR changes SOURCE_DATE_EPOCH during build to become something that was previously ignored by BuildKit

Not true since v0.11:

The build arg value is used for:

• the created timestamp in the OCI Image Config
• the created timestamp in the history objects in the OCI Image Config
• the org.opencontainers.image.created annotation in the OCI Image Index
• the timestamp of the files exported with the local exporter
• the timestamp of the files exported with the tar exporter

https://github.com/moby/buildkit/blob/v0.11.6/docs/build-repro.md#source_date_epoch

(And we didn't apply the env var to file timestamps in v0.11, because containerd v1.7 was not GA at that point)

[AkihiroSuda]

Rebased

[tianon]

The opt-out is not setting SOURCE_DATE_EPOCH, right? (surely anyone setting that is expecting to have it help them achieve reproducible builds, and this makes that strictly more possible than before 😅)

[AkihiroSuda]

The opt-out is not setting SOURCE_DATE_EPOCH, right? (surely anyone setting that is expecting to have it help them achieve reproducible builds, and this makes that strictly more possible than before 😅)

Right. Also, setting export SOURCE_DATE_EPOCH=... inside RUN is not affected by this PR.

[thaJeztah]

The opt-out is not setting SOURCE_DATE_EPOCH, right? (surely anyone setting that is expecting to have it help them achieve reproducible builds, and this makes that strictly more possible than before 😅)

Right. Also, setting export SOURCE_DATE_EPOCH=... inside RUN is not affected by this PR.

The scenario I was thinking of was that (say)

ARG SOURCE_DATE_EPOCH=<foo>
RUN build-things.sh

Would perhaps change some files to use SOURCE_DATE_EPOCH, bot not others, and now SOURCE_DATE_EPOCH would be used for every file written to disk by the RUN command.

To be clear; I'm most definitely NOT against making this all more reproducible, but thought I'd list some data-points that could be relevant in deciding, and if we all agree that;

surely anyone setting that is expecting to have it help them achieve reproducible builds, and this makes that strictly more possible than before

Then 👍 👍

[thaJeztah]

• FWIW, this file is also updated in Support for building overlaybd images #3867 - does that PR need any changes for this to work with overlaybd ? /cc @HileQAQ

[AkihiroSuda]

Probably yes, but we can defer that, as overlaybd will stay optional.

[AkihiroSuda]

The scenario I was thinking of was that (say)

ARG SOURCE_DATE_EPOCH=<foo>
RUN build-things.sh

Would perhaps change some files to use SOURCE_DATE_EPOCH, bot not others, and now SOURCE_DATE_EPOCH would be used for every file written to disk by the RUN command.

I don't think this change breaks somebody's Image.
Users can still use RUN SOURCE_DATE_EPOCH=<foo> build-things.sh so that BuildKit itself does not care about SOURCE_DAET_EPOCH.

[tonistiigi]

Why make the whiteout time configurable at all? These files never end up in a container, so the timestamp value is never visible. Lets just always make it zero.

If you agree, then this part can be separated out as no blob tracking etc is needed for that.

[AkihiroSuda]

Unfortunately not possible with the current version of containerd (and I don't want this PR to be blocked until containerd v2.0), as https://pkg.go.dev/github.com/containerd/[email protected]/diff#Opt lacks a knob to set whiteout time without setting SOURCE_DATE_EPOCH.

[tonistiigi]

Not sure I understand. If containerd doesn't support it, why can't we just call archive.WithWhiteoutTime(zeroTime) in here?

[AkihiroSuda]

The problem is that we can't specify WithWhiteoutTime for Differ.Compare(), although we can pass WithSourceDateEpoch to it.

buildkit/cache/blobs.go

Lines 191 to 214 in 2ff0d2a

	if desc.Digest == "" && !isTypeWindows(sr) && comp.Type.NeedsComputeDiffBySelf() {
	// These compression types aren't supported by containerd differ. So try to compute diff on buildkit side.
	// This case can be happen on containerd worker + non-overlayfs snapshotter (e.g. native).
	// See also: https://github.com/containerd/containerd/issues/4263
	desc, err = walking.NewWalkingDiff(sr.cm.ContentStore).Compare(ctx, lower, upper,
	diff.WithMediaType(mediaType),
	diff.WithReference(sr.ID()),
	diff.WithCompressor(compressorFunc),
	)
	if err != nil {
	bklog.G(ctx).WithError(err).Warnf("failed to compute blob by buildkit differ")
	}
	}
	if desc.Digest == "" {
	desc, err = sr.cm.Differ.Compare(ctx, lower, upper,
	diff.WithMediaType(mediaType),
	diff.WithReference(sr.ID()),
	diff.WithCompressor(compressorFunc),
	)
	if err != nil {
	return nil, err
	}
	}

https://pkg.go.dev/github.com/containerd/[email protected]/diff#Comparer
https://pkg.go.dev/github.com/containerd/[email protected]/diff#WithSourceDateEpoch

[AkihiroSuda]

@tonistiigi 🙏

[AkihiroSuda]

The first one is the complicated one that has many considerations to the UX, cache system, compression variants etc. It needs more validation/review, and I'm not sure if we can get it into the upcoming release as is.

Would it be mergable if we add a new build arg like BUILDKIT_SOURCE_DATE_EPOCH_MODE=(conservative|aggressive) ? (in the labs channel?)

[tonistiigi]

Would it be mergable if we add a new build arg like BUILDKIT_SOURCE_DATE_EPOCH_MODE=(conservative|aggressive) ? (in the labs channel?)

This also makes changes to the blobs reference counting and core function signatures in cache pkg, so isn't ideal for an experimental/unsafe feature because it is not something that lives on its own and can be easily removed.

[AkihiroSuda]

Shall we just make this an exporter option?

[AkihiroSuda]

↑ @tonistiigi WDYT?
The idea is to introduce an image exporter option like rewrite-epoch.
The implementation will be similar to compression options like compression-level.

[AkihiroSuda]

• exporter/containerimage: new option: rewrite-timestamp (Apply SOURCE_DATE_EPOCH to file timestamps) #4057

[AkihiroSuda]

Closing.
Hope #4057 will get merged instead.